To quote studio head Samuel Goldwyn’s famous malaprop, an oral contract isn’t worth the paper it’s printed on. The same can be said of a written security policy if a company doesn’t carry out its provisions. A proposed FTC settlement with a Texas technology firm alleges the company created a written “Third Party Vendor Risk Management” policy as part of its obligations under the Gramm-Leach-Bliley Safeguards Rule, but didn’t follow through to ensure policies outlined in the document were actually implemented. The upshot: A third-party contractor’s insecure use of cloud-based storage led to the breach of highly sensitive consumer information.
Ascension Data & Analytics provides mortgage-related tech services to other companies in its corporate family. In 2017, an affiliated company hired Ascension to provide services in connection with due diligence for residential mortgages – everything from building systems for storing mortgage paperwork to compliance reviews related to loan originations.
To help fulfill those responsibilities, Ascension hired an unaffiliated company to scan thousands of mortgage documents. Mortgage applications are a gold mine of highly confidential information and typically include an applicant’s tax returns, date of birth, Social Security number, and credit and debit card numbers – pretty much everything but their blood type and favorite ice cream flavor.
So that’s the set-up. Ascension was in possession of sensitive customer data which it turned over to a third-party service provider. Before we ask the inevitable “What could possibly go wrong?” question, let’s turn briefly to the requirements of the Safeguards Rule.
First, the who of the Safeguards Rule. The Rule applies to “financial institutions,” a broad term that may include data processors, investment advisors, real estate settlement businesses, and a wide variety of other entities.
Now the what of the Safeguards Rule. The Rule requires covered institutions to protect the security, confidentiality, and integrity of customer information by developing, implementing, and maintaining a written information security program appropriate to the company’s size and complexity, the nature of its activities, and the nature of the information. Among other things, that includes:
- Designating employees to coordinate the program;
- Identifying reasonably foreseeable risks to the security of customer information;
- Designing and implementing safeguards to control those risks, testing the safeguards regularly, and monitoring their effectiveness;
- Overseeing service providers by taking reasonable steps to select providers capable of maintaining appropriate safeguards and implementing those safeguards in contracts; and
- Adjusting the program in light of testing and monitoring, changes to business operations, and other circumstances.
Now back to Ascension and that mountain of confidential mortgage documents. Since at least July 2016, Ascension had a “Third Party Vendor Risk Management” policy purporting to describe the due diligence that designated Ascension staff were supposed to take to evaluate prospective providers. You’ll want to read the complaint for details, but the FTC alleges the company didn’t take those steps. Furthermore, although Ascension’s contracts with service providers included a fleeting reference that “any nonpublic personal information . . . shall be protected from disclosure with all the provisions of the Gramm-Leach-Bliley Act,” the clause didn’t offer any specifics.
The FTC says that in February 2017, Ascension hired that company to scan mortgage documents without vetting the service provider’s security. According to the complaint, the provider stored the documents on a cloud-based server and in a separate cloud-based storage location, but misconfigured both the server and the storage location, leaving the sensitive information of tens of thousands of consumers exposed. Because the service provider hadn’t even used a password, the mortgage documents became an all-you-can-eat buffet to anyone with the internet address of the server or the storage location. The information remained unprotected until about January 2019, when media outlets reported that the information was publicly available online.
The one-count complaint alleges that Ascension violated the Safeguards Rule by failing to oversee service providers, failing to identify reasonably foreseeable risks to the security of customer information, and failing to assess the sufficiency of any safeguards. In addition to complying with the Safeguards Rule in the future, the company has agreed to get every-other-year third-party security assessments. It also must provide an annual certification from a senior corporate manager that it’s complying with the FTC order and is aware of no material noncompliance. If Ascension experiences a security incident that requires it to notify a government agency, it also must notify the FTC. Once the proposed settlement appears in the Federal Register, you’ll have 30 days to file a public comment.
What can other companies learn from this case?
Putting your information security program on paper is the start, not the finish. The problem with many programs that companies design in response to the Safeguards Rule is that they spend too much time in a file folder and not enough time top of mind. The wiser course is to re-evaluate regularly to make sure that what’s in your program – for example, procedures addressing employee training, third-party contracting, and monitoring – is actually carried out in your day-to-day operations.
Vet your vendors. When it comes to security, before selecting vendors, make sure those prospective service providers are up to the task. Ask questions about how they will handle and protect your data, and insist on information about their own security programs. Once you have a service provider in place, don’t just set it and forget it. Ask for updates. What’s more, when conducting your own regular risk assessments, think through any risks your service providers present to your business and your customers’ information and make sure you have controls in place to address those risks.
Spell out your expectations. Security pros avoid pro forma contract terms. Eschew cookie cutter provisions and instead bake in protections and monitoring procedures specifically designed for the work that service providers will do for you.
Maintain appropriate security in the cloud. “Is it safe to store stuff in the cloud?” Experts get asked that a lot, but people may be posing the wrong question. Whether you maintain data with a cloud service provider or in an office file cabinet, the more important consideration is what you do to secure it. Savvy businesses take advantage of the security options offered by cloud providers and exercise particular care to configure settings properly and recheck them regularly. For more information, read Six steps toward more secure cloud computing.